Guide

How to Tell If Your Website Has Been Hacked

Catching a hack early limits the damage to your business and reputation.

Not every hack is obvious. While some attackers deface a site loudly, many work quietly in the background, using your website to send spam or scam your visitors while you carry on unaware.

Knowing the warning signs means you can act fast. The sooner a hack is caught, the less damage it does to your customers, your reputation, and your search rankings.

Common warning signs

Watch for content you did not add: strange pages, pop-ups, or links to unrelated, often dubious products. Your site running noticeably slower or behaving oddly can also be a clue.

You might be locked out of your own admin area, or notice unfamiliar user accounts. Sometimes the first sign is a customer or supplier telling you something looks wrong.

Signals from outside

Search engines and browsers often spot a hack before you do. A warning that your site "may be hacked" in search results, or a red browser screen telling visitors the site is dangerous, are serious red flags.

A sudden, unexplained drop in traffic can also point to a hack, as search engines may quietly demote or flag a compromised site to protect their users.

What to do about it

If you suspect a hack, act quickly. Avoid logging in over unsecured connections, change your passwords, and get professional help to clean the site properly rather than guessing.

A clean-up needs to remove the malicious code, close the weakness that let it in, and restore from a known-good backup. Skipping any step risks the hack simply returning.

What to do the moment you discover a hack

Take the site offline immediately — enable maintenance mode or ask your host to suspend the account. A hacked site that remains online can infect visitors, spread malware and be blacklisted by Google. Speed matters more than diagnosis at this first stage.

Do not restore immediately from the most recent backup — it may be compromised. Check backup timestamps against when the breach occurred and restore from the last clean version. Identify and fix the vulnerability before going back live — outdated plugins and themes account for the majority of WordPress breaches. Change all passwords: WordPress admin, FTP, database and hosting.

FAQs

Common questions.

Can a website be hacked without me knowing?
Yes. Many hacks are deliberately hidden so attackers can misuse your site for as long as possible. Regular monitoring helps catch them early.
What should I do first if I think I am hacked?
Avoid panic changes, secure your passwords, and get professional help to clean the site and close the weakness properly, then restore from a clean backup.
Can visitors get infected by malware on a hacked site without clicking anything suspicious?
Yes — attackers sometimes inject hidden code that runs automatically when someone loads a page, putting your visitors at risk without any obvious sign anything is wrong. This is one of the reasons we run malware scans on every site we maintain rather than waiting for a visible problem to appear.
How we can help

Turn this into action.

The services behind this guide.

Related guides

More on website care & tech.

Want a hand putting this into practice?

Book a free, no-obligation consultation with a Norwich-based specialist.

Book a free consultation
Get started

Let's put your business in a better light.

Book a free, no-pressure consultation. We'll talk through your goals and tell you honestly what we'd do — whether you work with us or not.

  1. 01
    Tell us a bitFill in the form — two minutes, tops.
  2. 02
    We'll call you backWithin one working day, no pressure.
  3. 03
    Get a clear planHonest advice and a fixed quote.

Free · No obligation · We reply within one working day

Book a free consultation